--- /dev/null
+From stable+bounces-181015-greg=kroah.com@vger.kernel.org Mon Sep 22 20:45:39 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 14:44:48 -0400
+Subject: crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Jens Axboe <axboe@kernel.dk>, Matthew Wilcox <willy@infradead.org>, linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250922184449.3864288-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fb800fa4c1f5aee1238267252e88a7837e645c02 ]
+
+Convert af_alg_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather
+than directly splicing in the pages itself.
+
+This allows ->sendpage() to be replaced by something that can handle
+multiple multipage folios in a single transaction.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: Jens Axboe <axboe@kernel.dk>
+cc: Matthew Wilcox <willy@infradead.org>
+cc: linux-crypto@vger.kernel.org
+cc: netdev@vger.kernel.org
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 52 ++++++++--------------------------------------------
+ 1 file changed, 8 insertions(+), 44 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -993,53 +993,17 @@ EXPORT_SYMBOL_GPL(af_alg_sendmsg);
+ ssize_t af_alg_sendpage(struct socket *sock, struct page *page,
+ int offset, size_t size, int flags)
+ {
+- struct sock *sk = sock->sk;
+- struct alg_sock *ask = alg_sk(sk);
+- struct af_alg_ctx *ctx = ask->private;
+- struct af_alg_tsgl *sgl;
+- int err = -EINVAL;
++ struct bio_vec bvec;
++ struct msghdr msg = {
++ .msg_flags = flags | MSG_SPLICE_PAGES,
++ };
+
+ if (flags & MSG_SENDPAGE_NOTLAST)
+- flags |= MSG_MORE;
++ msg.msg_flags |= MSG_MORE;
+
+- lock_sock(sk);
+- if (!ctx->more && ctx->used)
+- goto unlock;
+-
+- if (!size)
+- goto done;
+-
+- if (!af_alg_writable(sk)) {
+- err = af_alg_wait_for_wmem(sk, flags);
+- if (err)
+- goto unlock;
+- }
+-
+- err = af_alg_alloc_tsgl(sk);
+- if (err)
+- goto unlock;
+-
+- ctx->merge = 0;
+- sgl = list_entry(ctx->tsgl_list.prev, struct af_alg_tsgl, list);
+-
+- if (sgl->cur)
+- sg_unmark_end(sgl->sg + sgl->cur - 1);
+-
+- sg_mark_end(sgl->sg + sgl->cur);
+-
+- get_page(page);
+- sg_set_page(sgl->sg + sgl->cur, page, size, offset);
+- sgl->cur++;
+- ctx->used += size;
+-
+-done:
+- ctx->more = flags & MSG_MORE;
+-
+-unlock:
+- af_alg_data_wakeup(sk);
+- release_sock(sk);
+-
+- return err ?: size;
++ bvec_set_page(&bvec, page, size, offset);
++ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size);
++ return sock_sendmsg(sock, &msg);
+ }
+ EXPORT_SYMBOL_GPL(af_alg_sendpage);
+
--- /dev/null
+From stable+bounces-181016-greg=kroah.com@vger.kernel.org Mon Sep 22 20:45:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Sep 2025 14:44:49 -0400
+Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
+To: stable@vger.kernel.org
+Cc: Herbert Xu <herbert@gondor.apana.org.au>, Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>, Bing-Jhong Billy Jheng <billy@starlabs.sg>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250922184449.3864288-2-sashal@kernel.org>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 ]
+
+Issuing two writes to the same af_alg socket is bogus as the
+data will be interleaved in an unpredictable fashion. Furthermore,
+concurrent writes may create inconsistencies in the internal
+socket state.
+
+Disallow this by adding a new ctx->write field that indiciates
+exclusive ownership for writing.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 7 +++++++
+ include/crypto/if_alg.h | 10 ++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -859,6 +859,12 @@ int af_alg_sendmsg(struct socket *sock,
+ }
+
+ lock_sock(sk);
++ if (ctx->write) {
++ release_sock(sk);
++ return -EBUSY;
++ }
++ ctx->write = true;
++
+ if (ctx->init && !ctx->more) {
+ if (ctx->used) {
+ err = -EINVAL;
+@@ -974,6 +980,7 @@ int af_alg_sendmsg(struct socket *sock,
+
+ unlock:
+ af_alg_data_wakeup(sk);
++ ctx->write = false;
+ release_sock(sk);
+
+ return copied ?: err;
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -136,6 +136,7 @@ struct af_alg_async_req {
+ * SG?
+ * @enc: Cryptographic operation to be performed when
+ * recvmsg is invoked.
++ * @write: True if we are in the middle of a write.
+ * @init: True if metadata has been sent.
+ * @len: Length of memory allocated for this data structure.
+ * @inflight: Non-zero when AIO requests are in flight.
+@@ -151,10 +152,11 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- bool more;
+- bool merge;
+- bool enc;
+- bool init;
++ u32 more:1,
++ merge:1,
++ enc:1,
++ write:1,
++ init:1;
+
+ unsigned int len;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
